Johns Hopkins MFA & Risk Analysis Presented by: Etan Weintraub & Patrick Ostendarp


1 Johns Hopkins MFA & Risk Analysis
Presented by: Etan Weintraub & Patrick Ostendarp
eweintra@jhmi.edu
Patrick.Ostendarp@jhu.edu

2 Background
First foray into MFA (2009) – system administrators only
– Solution had to support Windows & Linux
– Investigated a few vendors. Went with Aladdin (now Safenet)
– Dual-role tokens
Used PKI environment for the smartcard component – Windows
– Created secondary accounts for system access. Accounts configured in AD for ‘Smart card is required for interactive logon’
Used RADIUS connections for OTP verification – Linux

3 Background – Deployment
Standard token deployment
– Started with internal IT
– Expanded to additional admins
– Eventually made mandatory for all system administrators in central IT
Normal feedback
– Admins did not like relying on the token
– Plenty of ‘what-if’ scenarios
Currently have 300+ admins with tokens

4 Background – Issues
We allowed admins to create their own secondary accounts
– Major mistake
– No centralized management, reporting, monitoring, etc.
Issues with certain *nix flavors connecting to RADIUS
Standard token issues
– Broken
– Lost

5 Next up – MFA for Users
Johns Hopkins uses CA SiteMinder as its primary WebSSO platform
– Don’t worry – we have a large Shibboleth deployment too
Investigated two primary solutions
– CA RiskMinder / AuthMinder
– SecureAuth
Focused more on the risk analysis aspects of the solution than on second-factor authentication options
Use case driving the need was VPN protection

6 MFA for Users – Take 2
Decided to purchase the AuthMinder / RiskMinder solution
– Ended up scrapping the product due to multiple incompatibility issues not found in the proof of concept
Used lessons learned from the project to develop an in-house risk-based analysis solution called Enterprise Step-up Authentication (ESA)
– We’ll get into more detail in a minute
First MFA options
– SMS OTP
– Safenet OTP
– Secret questions and answers

7 ESA – Risk Analysis
On login page
– Browser/device fingerprint built and passed along to the risk analysis engine
– https://github.com/Valve/fingerprintjs
After successful ID/PW verification, check:
– Tables with user / device / IP blocked/untrusted/allowed
– User / device velocity checks (how many attempts in an hour)
– Geolocation (current IP vs last IP) – freegeoip.net
– Device / user profile matching (have we seen this pair before?) – exact match versus close match

8 ESA – Levels of Protection
Standard
– 90% of our WebSSO sites
– Risk-only checks. No MFA unless high risk is determined
Step-up
– Require step-up authentication for a new device / user combination
– Save information for 60 days
Always Step-up
– Primarily for IT admin sites
– Require step-up even if the device / user combination is found
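The post-password checks from slide 7 (block tables, velocity, geolocation, device/user pair matching) combined with the three protection levels from slide 8, as an added example. This is not Johns Hopkins' ESA code and not from the presentation; the velocity limit of 10 attempts per hour, the GEO table standing in for the freegeoip.net lookup, the close-match rule (at most one fingerprint component differs), the allowed-IP behaviour and the choice that velocity or a country change counts as "high risk" are all assumptions made for illustration.

```python
"""Toy version of the ESA post-password checks (slide 7) and protection levels
(slide 8).  Added example, not Johns Hopkins code.  Thresholds, the GEO table,
the close-match rule and what counts as "high risk" are assumptions."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from enum import Enum
from typing import Dict, List, Set, Tuple


class Level(Enum):                     # slide 8
    STANDARD = "standard"              # risk-only checks
    STEP_UP = "step-up"                # step-up for a new device/user pair
    ALWAYS_STEP_UP = "always-step-up"  # step-up every time


class Decision(Enum):
    ALLOW = "allow"
    STEP_UP = "step-up"
    BLOCK = "block"


VELOCITY_LIMIT = 10             # assumed: max attempts per user or device per hour
PAIR_TTL = timedelta(days=60)   # slide 8: a device/user pair is remembered for 60 days

# Constructed stand-in for the freegeoip.net lookup (IP -> country); documentation ranges only.
GEO = {"192.0.2.10": "US", "198.51.100.4": "US", "203.0.113.7": "AU"}

Fingerprint = Dict[str, str]    # components a fingerprintjs-style script collects


def pair_match(known: Fingerprint, seen: Fingerprint) -> str:
    """'exact' if every component agrees, 'close' if exactly one differs, else 'none'.
    The one-component tolerance is an assumption; the real ESA rule is not on the slides."""
    diffs = sum(1 for k in set(known) | set(seen) if known.get(k) != seen.get(k))
    return "exact" if diffs == 0 else "close" if diffs == 1 else "none"


@dataclass
class RiskStore:
    blocked_users: Set[str] = field(default_factory=set)
    blocked_devices: Set[str] = field(default_factory=set)
    blocked_ips: Set[str] = field(default_factory=set)
    allowed_ips: Set[str] = field(default_factory=set)      # assumed: trusted ranges skip the geo check
    attempts: Dict[str, List[datetime]] = field(default_factory=dict)
    last_country: Dict[str, str] = field(default_factory=dict)
    pairs: Dict[Tuple[str, str], Tuple[Fingerprint, datetime]] = field(default_factory=dict)

    def velocity(self, key: str, now: datetime) -> int:
        """Record an attempt and return how many this key has made in the last hour."""
        recent = [t for t in self.attempts.get(key, []) if now - t < timedelta(hours=1)]
        recent.append(now)
        self.attempts[key] = recent
        return len(recent)

    def known_pair(self, user: str, device_id: str, fp: Fingerprint, now: datetime) -> str:
        """Look the user/device pair up; entries older than 60 days count as unknown."""
        entry = self.pairs.get((user, device_id))
        if entry is None or now - entry[1] > PAIR_TTL:
            return "none"
        return pair_match(entry[0], fp)

    def remember_pair(self, user: str, device_id: str, fp: Fingerprint, now: datetime) -> None:
        self.pairs[(user, device_id)] = (fp, now)


def evaluate(store: RiskStore, level: Level, user: str, device_id: str,
             fp: Fingerprint, ip: str, now: datetime) -> Tuple[Decision, List[str]]:
    """Run the slide 7 checks after a correct password and apply the slide 8 level.
    Returns the decision and the reasons behind it, so every outcome can be logged."""
    reasons: List[str] = []
    if user in store.blocked_users or device_id in store.blocked_devices or ip in store.blocked_ips:
        return Decision.BLOCK, ["blocked by user/device/IP table"]

    # Velocity: attempts in the last hour, counted per user and per device.
    if store.velocity("u:" + user, now) > VELOCITY_LIMIT:
        reasons.append("user velocity")
    if store.velocity("d:" + device_id, now) > VELOCITY_LIMIT:
        reasons.append("device velocity")

    # Geolocation: country of the current IP vs the country of this user's last IP.
    country = GEO.get(ip, "??")
    previous = store.last_country.get(user)
    if previous is not None and previous != country and ip not in store.allowed_ips:
        reasons.append(f"geo change {previous}->{country}")
    store.last_country[user] = country

    # Profile matching: have we seen this user/device pair (exactly or closely) before?
    match = store.known_pair(user, device_id, fp, now)
    if match == "none":
        reasons.append("unknown device/user pair")

    high_risk = any(not r.startswith("unknown") for r in reasons)   # velocity or geo fired
    if level is Level.ALWAYS_STEP_UP:
        decision = Decision.STEP_UP
    elif level is Level.STEP_UP:
        decision = Decision.STEP_UP if (high_risk or match == "none") else Decision.ALLOW
    else:  # STANDARD: risk-only; no MFA unless a high-risk signal fired
        decision = Decision.STEP_UP if high_risk else Decision.ALLOW
    if decision is Decision.ALLOW:
        store.remember_pair(user, device_id, fp, now)   # refresh the 60-day window
    return decision, reasons


def complete_step_up(store: RiskStore, user: str, device_id: str,
                     fp: Fingerprint, now: datetime) -> None:
    """Call once the second factor succeeded: the pair is trusted for the next 60 days."""
    store.remember_pair(user, device_id, fp, now)
```

Returning the reasons alongside the decision is deliberate: a step-up engine that only answers allow/step-up/block leaves the help desk and the SOC unable to tell a travelling user from a credential-stuffing run, and the velocity counters are only useful as a detection signal if the outcome they caused is logged with them.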

9 MFA for Users – What’s Next?
Production beta of TOTP using Google Authenticator
– Many users have short-code SMS blocked
– Out of the country / no cell coverage / etc.
Expanding RADIUS offering to support TOTP
– Allow system admins to use Google Authenticator instead of the Safenet token
Adding a web service component to ESA
– Allow for a check of the client after authentication
Improving self-service
– Creating a myIT page for users and system admins to manage information about their IT profile
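What the TOTP work on slide 9 means on the verifying side (the web or RADIUS back end that checks a Google Authenticator code), as an added example that is not Johns Hopkins code and not from the presentation. The HOTP/TOTP arithmetic follows RFC 4226 and RFC 6238 and is checked against their published test vectors; the one-step drift window, the last-accepted-counter replay rule and the provisioning URI helper are assumptions about how such a back end is built, and the account name in the test is constructed.

```python
"""TOTP (RFC 6238) as a RADIUS or web back end would verify a Google Authenticator
code.  Added example, not Johns Hopkins code; the drift window, the replay rule and
the provisioning URI helper are assumptions about how such a back end is built."""
import base64
import hashlib
import hmac
import struct
from urllib.parse import quote

DIGITS = 6
STEP = 30      # Google Authenticator uses 30-second time steps
WINDOW = 1     # assumed policy: accept one step of clock drift on either side


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 8-byte counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = STEP) -> str:
    """RFC 6238 TOTP is HOTP with the counter derived from the clock."""
    return hotp(secret, unix_time // step)


def provisioning_uri(account: str, issuer: str, secret: bytes) -> str:
    """otpauth:// URI that Google Authenticator reads from the enrolment QR code."""
    b32 = base64.b32encode(secret).decode("ascii").rstrip("=")
    return (f"otpauth://totp/{quote(issuer)}:{quote(account)}"
            f"?secret={b32}&issuer={quote(issuer)}&digits={DIGITS}&period={STEP}")


class TotpVerifier:
    """Server-side state for one enrolled token: the secret and the last counter accepted.
    Remembering the counter is what stops a code that was observed once from being reused."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.last_counter = -1

    def verify(self, code: str, unix_time: int) -> bool:
        counter = unix_time // STEP
        for c in range(counter - WINDOW, counter + WINDOW + 1):
            if c <= self.last_counter:       # already used (or older than one used): refuse
                continue
            # constant-time comparison so timing does not reveal how many digits matched
            if hmac.compare_digest(hotp(self.secret, c), code):
                self.last_counter = c
                return True
        return False
```

Two details matter more than the arithmetic when this sits behind RADIUS: the server clock must be disciplined (NTP), because a one-step window is only 30 seconds of tolerance, and the last accepted counter must be persisted per token, since a verifier that forgets it accepts the same six digits again for the rest of the step.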

10 Demonstration

